modiloader | a6f32e30941f514dd14c55a472aa206326d9d7b03de75d5fb0d4f6f2f0708a71

Analysis

max time kernel
69s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 05:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96511869d9aa401533ad5ef9552e6790N.exe
Size

371KB
MD5

96511869d9aa401533ad5ef9552e6790
SHA1

ccacf622dcbdb7950b69ae131bf88199cc62731a
SHA256

a6f32e30941f514dd14c55a472aa206326d9d7b03de75d5fb0d4f6f2f0708a71
SHA512

bcc4aaf25f7005983b3fec95f7310cd38ed2c87810274edf0f5ca25425fb66c0c2f1603c439c36fbe6b6530e8dd957d0205733b96eeb1368d95a498575b4136c
SSDEEP

6144:u1GWAE41bXLmCU36wRC1UcC8ac5flewGXdbKvJrLctk33hSn1bAnHG8GEQcyz0Ry:uYfbmCKgZZ5fl6Xd+hrYtkhceHnGokqW

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral1/memory/2396-15-0x0000000000400000-0x0000000000504000-memory.dmp	modiloader_stage2
behavioral1/memory/2396-17-0x0000000000400000-0x0000000000504000-memory.dmp	modiloader_stage2
behavioral1/memory/2396-40-0x0000000000400000-0x0000000000504000-memory.dmp	modiloader_stage2
behavioral1/memory/2156-41-0x0000000000400000-0x0000000000504000-memory.dmp	modiloader_stage2
behavioral1/memory/2012-35-0x0000000000190000-0x000000000023A000-memory.dmp	modiloader_stage2
behavioral1/memory/2304-42-0x0000000000400000-0x0000000000504000-memory.dmp	modiloader_stage2

Executes dropped EXE 3 IoCs

pid	Process
2396	55.exe
2304	123.gip
2156	123.gip

Loads dropped DLL 5 IoCs

pid	Process
1676	96511869d9aa401533ad5ef9552e6790N.exe
1676	96511869d9aa401533ad5ef9552e6790N.exe
2396	55.exe
2396	55.exe
2396	55.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	96511869d9aa401533ad5ef9552e6790N.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9A53F4C1-4BE8-11EF-B36A-FEF21B3B37D6}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9A53F4C1-4BE8-11EF-B36A-FEF21B3B37D6}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9A53F4CC-4BE8-11EF-B36A-FEF21B3B37D6}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9A53F4C3-4BE8-11EF-B36A-FEF21B3B37D6}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2012	2156	123.gip	33

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\123.gip	55.exe
File opened for modification	C:\Program Files\123.gip	55.exe
File created	C:\Program Files\DaverDel.bat	55.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SetupWay.TXT	123.gip

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.gip
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.gip
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96511869d9aa401533ad5ef9552e6790N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070006001b000700130030000e00	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EBB8CCA-552F-42AD-9B0E-EEDB02532FC7}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0EBB8CCA-552F-42AD-9B0E-EEDB02532FC7}\WpadNetworkName = "Network 3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 80021160f5dfda01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003a1d5c74be4784448abc26efd4d2e31d0000000002000000000010660000000100002000000015bf2953afa21e7f147710419d2b8a00814152aa27cdece9c1e23828512c692d000000000e800000000200002000000062b54817e2f51320c3b8b02d096ea826c62071a873bdef7df4040d338a5e5753500000004b62e9a83ee48a26f07c8366da5fc08819b6880ac69fcb1ace765b771bc8d826b4e48f521435e4a0ead175a91bb10fa275b9258615d8e613963b7b1f045b7e900db743bb8120d1f8c1e34d7b65bb82a4400000000147673fb1688565e2534a0f6c249b548f236dd29603122bd243a09b71dcd845a7df64be6d34ef9fbefc1884075c92966fb7064cf47325ad1d551ff56db48b86	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-2a-ea-72-4c-2d	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070006001b00070013003500f302	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{4A811520-A2F1-4208-B5FB-F8D73E561713}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2396	1676	96511869d9aa401533ad5ef9552e6790N.exe	30
PID 1676 wrote to memory of 2396	1676	96511869d9aa401533ad5ef9552e6790N.exe	30
PID 1676 wrote to memory of 2396	1676	96511869d9aa401533ad5ef9552e6790N.exe	30
PID 1676 wrote to memory of 2396	1676	96511869d9aa401533ad5ef9552e6790N.exe	30
PID 1676 wrote to memory of 2396	1676	96511869d9aa401533ad5ef9552e6790N.exe	30
PID 1676 wrote to memory of 2396	1676	96511869d9aa401533ad5ef9552e6790N.exe	30
PID 1676 wrote to memory of 2396	1676	96511869d9aa401533ad5ef9552e6790N.exe	30
PID 2396 wrote to memory of 2304	2396	55.exe	31
PID 2396 wrote to memory of 2304	2396	55.exe	31
PID 2396 wrote to memory of 2304	2396	55.exe	31
PID 2396 wrote to memory of 2304	2396	55.exe	31
PID 2396 wrote to memory of 2304	2396	55.exe	31
PID 2396 wrote to memory of 2304	2396	55.exe	31
PID 2396 wrote to memory of 2304	2396	55.exe	31
PID 2156 wrote to memory of 2012	2156	123.gip	33
PID 2156 wrote to memory of 2012	2156	123.gip	33
PID 2156 wrote to memory of 2012	2156	123.gip	33
PID 2156 wrote to memory of 2012	2156	123.gip	33
PID 2156 wrote to memory of 2012	2156	123.gip	33
PID 2396 wrote to memory of 2812	2396	55.exe	34
PID 2396 wrote to memory of 2812	2396	55.exe	34
PID 2396 wrote to memory of 2812	2396	55.exe	34
PID 2396 wrote to memory of 2812	2396	55.exe	34
PID 2396 wrote to memory of 2812	2396	55.exe	34
PID 2396 wrote to memory of 2812	2396	55.exe	34
PID 2396 wrote to memory of 2812	2396	55.exe	34
PID 2012 wrote to memory of 2728	2012	IEXPLORE.EXE	36
PID 2012 wrote to memory of 2728	2012	IEXPLORE.EXE	36
PID 2012 wrote to memory of 2728	2012	IEXPLORE.EXE	36
PID 2012 wrote to memory of 2624	2012	IEXPLORE.EXE	37
PID 2012 wrote to memory of 2624	2012	IEXPLORE.EXE	37
PID 2012 wrote to memory of 2624	2012	IEXPLORE.EXE	37
PID 2012 wrote to memory of 2624	2012	IEXPLORE.EXE	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\96511869d9aa401533ad5ef9552e6790N.exe
"C:\Users\Admin\AppData\Local\Temp\96511869d9aa401533ad5ef9552e6790N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\55.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\55.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Program Files\123.gip
    "C:\Program Files\123.gip"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\DaverDel.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812

C:\Program Files\123.gip
"C:\Program Files\123.gip"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2728
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DaverDel.bat

Filesize
146B

MD5
89235cd2b12f309c075f6d3b265e58e2

SHA1
9a86b961a3baf012545b7ea002c151d035b739da

SHA256
dd2905f7a32cc53d3dfbca53b1061093412f66de01f3329673194f35cc5a7e6f

SHA512
964dc3de753d007421842f712404426471eebc790446f98bd0c20bcaa8067f50a4f7fc43cc1713c8a1312161071351ec4ecc6fed86f36a4c901a43e1c5cd838e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b416ab0cecc8a7d3be69a9169a4b7faf

SHA1
90fe4b773ca40820afb740900c2cd0fa43206b56

SHA256
f2df710fa32401102f276cb8f8d74274df13dc262dd979e91cc6003c426aacc1

SHA512
5c8e6dfef923344365f2a2b1e717f75eb283e534bac26a1eb63fa47a2aa1220944e3ae3b10bfd376a4f83cbc7979b36c3d0e172a857efbd84c8f2d9191fa15c9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeaf1f0445b3b173f3bfa7414ed287b9

SHA1
8ccda942825fd7cb7e4721421546b04aabc193c0

SHA256
32e3726b9fdf8ae2a257f7e2a28e374d602e6c57688df6f31bf9f3b8712478b9

SHA512
72b0041a6b610b6595cae6ce7fda5c5305145707ec521e20fe365de5d81172ec381b48c528fbe71f98bdee0fd1011a7f1bac9e3bb38847a884b10402679ec447

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1239d27a8d2ad7c87d6e1579f45bdf35

SHA1
9c8cfed2da47bf135172460ff98033513c844d2e

SHA256
02f5c8c86468f09fc0215df269c8da765a819792d13bb59f6f5d16e3d672cc74

SHA512
a56de3ab58c84e056b7db1b9bb03b3a96ccd051654f76e8fa4a8658f35f66e88c5d1f83f3881171f7b5950593dd5e5b52e30d2103b71f0d45481baad076a624d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bec4585a0d266bc4237d33873e0ae8cb

SHA1
27405345ee6d082b6804dab5df0f93de844039cc

SHA256
d53fe482a24ab6cd6b8c29ecf71b790e1a93adc1afd75272b01f510e625c4d84

SHA512
1484a51b0fbf727654fdbe4303dc48206014fb8111fd3164aaf589f09ea5da93f0503d8822fe61a99bc0dd7e313e88aadd4acbe9dee59be1dc7e9f5d53788fce

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eef06eba1703c797bd099963c54c0f5

SHA1
90fabbe68fe1bd7df9969217bdfd3a4acc88e14b

SHA256
dd53ad7654a80e176a9a5aaf423bf1c445ed74b1cf7a4e5cce6f88d2392d0abd

SHA512
d7ed23d66290b47ebccd9654996062917841929b003406fd069df49ef9e93c5a808fa64b1942de06d7fb7a71392adefdfc32fb37f75fb73304089630614a1d2d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d4068c5d6b2402076bbe2212f59be74

SHA1
d404946dc865b1597c42d201e0bcb2649a352eaf

SHA256
0e4f7cdaae374cbdad742058428eb4f4f054f0cad2bc0ad904022ac24efcb03e

SHA512
9fd0e762897bd7078da9a3b3a00789bcbe23670ed8ad239d811b28b086950f76868eb6a6aa67165f15df1c1b7dd41660d7451c5f5741b9e5b128c8e6a33b310f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a189b56775e5ecf0a3fd08340e8164f9

SHA1
0aec4fd4c2913296f39057aed83b8af3dce0bc9b

SHA256
722d2ce5d25b223e0e30397ebd822db0eff9763089572ddea9ca2aa9704f593e

SHA512
f64c0c6c13e943ea94c63d019fdedc356160297b02cb57444dd3176b0ce6e0412c3fb2af0a6c4e0c92cb0822d5e8eb35a58d6bdc8555cd39b9d784659dda6c6e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5027a3ba12c7fb5e4e89afc4e84a2c6a

SHA1
e9d6390910e6d82802990de753d2c4ed7dbb2be9

SHA256
99f8c7594ec41dd79649aad9c4d13ae65e22ac4c5666572381da639b3d9d1f84

SHA512
926b75f159e8fbc5363f3c50fb0da259d987ec7030193b5a11b17dd5cecc6d5d4885e12dadc989606d5f0f803d0bcb6ddfa2398d86c695693d61ebc0479215ca

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dee5703fbe698fbce21dfdc0e5a45b2

SHA1
937cb8bd08be004b8f40d561f93eb31d751a3cbb

SHA256
ef84291babcbf62970e9e176247848d0ee4ba14946f904317439b9079aea1e5b

SHA512
88175fcae28d5b3b91db10a68a2cbcd8e60473731e73ee575c6812d0eaef5533a86758670ef29b77284c53c519f8359539c1f3c915f3e618cadd7b044e20f686

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66723cdf47e98da07185072a067af312

SHA1
92134898bbde8a56a38b74ac7daeb3ef01079b1f

SHA256
50c2e9fc97b0f4bd1f5b617eb3f2707cb99b1a841cf8d7f5f6bee86019bc71e2

SHA512
e678be97bab4f767ddc145885a51d0b1e2e4b4215e0b07c1398006a137dc899957ba5af8d1e103917f995e7efde0aa413089d4fe9488ae8dffaf1dfa25c2378b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3791445e84fd77cca2b3af61449eb06

SHA1
000587271b9cd6e6964d244aa3860a3677227046

SHA256
5ba55fe5ac0a80638cfccf38220f6c3f6ea4e21209c6b2ccb391f0b13b18d561

SHA512
19fa4a3a6d9c2426dda6425e5beaf5f9e8e0dbba08f060669e4d3bd4d0c50fb964c8304f1fb2911d13b2db751e10b14840fa7e1bfe8e6a437d10e1352e920d2e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4d650e8e07acbffb7a91b2d1a6d1937

SHA1
a9acbb126839b46ff22e4a035518c0a886d77092

SHA256
9b72c991bdec0cec9ef63dfccad6e706fa7c3dce1863237756f22ba583960046

SHA512
f54eae1be0b05fa8f5c9996eb4a564f257da93f9912b12140c9da64691ecf461e1ce366ea147ab287bce11210d79b9f235a88cbd5975eda87100e320a6f454ee

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9a4f64fdab650e1cdc2b4a3ee27ea56

SHA1
e261cf37b74c60704d6cb5e313d335c53fefcf4c

SHA256
189c7b853da907593cd373191fec249ab5c27f44b3b6e073719ccc0142353302

SHA512
10630b2ebb218305365606efa5906e0a094b1538f6dc3e70a596be4364abaca921ab1fb14fafd0e385c78539b4b6e468955a04500ffe170940ac6f3a1105011c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
212d72879ce404d203498542e18da618

SHA1
ec927554d3837d276527f7917738cf77d3b86c12

SHA256
f8d01d0022bbd6c0b76b7ba46d5b95075db0b3c8734103a2fa472244f47898a6

SHA512
2914addf7cc6345e5bab43810a8f478991dca9210542ad70354b715133a3816172bfbac6c3a375b8b2d291cd599bcc7cea7c7e21462bfac579c6412ba36a8f22

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
413d556c1ad6ad2dad526313ce33ecb6

SHA1
80675f6fbe484832118787b6ebb089408f1fde84

SHA256
aad374955ab37bf171b589477b9754075261ab3181589839628868ffe568ef9a

SHA512
dd4a22edb3fd26b319df2f86ade667f3a938e5281f359c94058e9be05746c07a8bf32f4ff1bd169d6e3c1595e4a4ffe8b83d0fb93b37997c5fb718d495980105

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b745b333a216054b47d98dee9c09b82

SHA1
21538354fbc60c0d0d65e445e318f26b9bd9f27f

SHA256
6797f0306ee8b95fed8e2d7c93e321dcaa94c8aaeb5d032a97c4cd3cde9fee75

SHA512
97b5164e1b19d7c247e4656644dd8374260f91112a85faf8772c3e13a3eee6c640a50c432fef598afbebc144810fce2163e8b98515b8da09bf4d950813170ec4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a8a82613a95cf5ad0eb2d46291eba21

SHA1
405d3ab17b2584f2ffb77b3b9a087450ffabb2f9

SHA256
49edb977b435696e022d487c99347f75a2ab77a8e8b9955fa46617ad9fca4e9f

SHA512
b683fe85a1bdfd1c992de0111bfd547b333549ce34e7c276e9b005424c609082dbcf0957578994df9ff338a69e9806ab95522876015950cf3a1bc1a0463ba294

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b6c7f90db69a8487f37b271034d9ba5

SHA1
e5feb1861f6f0952caf64c809d7c1baad016d495

SHA256
052a2f7dd1d550f91276f7039d38f26554f5b1bd2585d807ed707e6b0b318976

SHA512
50fabdba04083d6fe598f7801856bf01f5f54e39936e997321c4736270260dd6d300d8786fb03a379bfa4a67b5dd217e6ddeb407385e15479c8d785018f5fd30

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8bf314a0a5c358bba1ca9f6c471b17b

SHA1
45e98f20676f15dffcf88144016d5fc07dcc4373

SHA256
4996aac0542a9c1e0cd9ac594a24d811ade67ef4b7002c27f32bcd6e72061b67

SHA512
3702c2daeef3802e87ae21aa7a7279433aea60a7afaf1a26f0857fc86b475d1844a07c026a1fa3e831a7feda6f172a6e15b58645c2cfcce7b364c98ed454528e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5479a5645492a4d639d0b4a49b2a35b

SHA1
33f63819187428ef882be75a4ab5d1370fdc8b05

SHA256
d3a5f9c78b3608312eeb090f15a320738b2ba54f7c4ba61cad459e46d5379776

SHA512
33a13934a4ccf4fd977945302af33c4a53aa1105a46d5cd74683394a68ec750b48e161f28f30469cf09d3af7261d90bb4253ec555ca0be112eb0ae78ef3379be

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f266bcd3f7a50d7b663a0bdb7d4b27b9

SHA1
00008d002e5df26fe025a16971feed9aeffa6a8f

SHA256
311c76a4ed63e2bc9c4fe96944e5e963a602fffee72bae5355f1c1f455aa5bb4

SHA512
dca88058b1e108d8db0feb28818f9591f6b909a8cb3f6dff191554636ae50a3102112d93a7312b10a58e3901138287a50a2659a6717d34916e1a98c218498662

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b9bc05805b8f6067983595106443ac72

SHA1
9b5c18cd623ae9eadd405e88b660645e193aafed

SHA256
d6d2dd0d68fd46593ebb09c02189569c5c071e786dfa37e0ddb574d66a1b9b27

SHA512
6c8865f224ff868c0cbce6bb42f81cef23dee576a0d364863d7992656679747ef43a47e5062de4367d99d4a32408cbfef421437a2c104a68eb2f524ebec0e255

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabD982.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarD985.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarDAE5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwCEA7.tmp

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\55.exe

Filesize
297KB

MD5
e1cfde1122c619549e271f0430f7b99b

SHA1
668012e0ba787651326a5d009c1fbc9e73d7ad72

SHA256
7c6c0cd68d70e14247e0fb3b1fadcc0ca39a961819a1d10913c924da8ace5f24

SHA512
4156706e1a35a0b3729998c3d95aa0a6d25e9ea16f94db188227561bb3e4df52435ec56f72a41f4391cf988ac2f923a17c5fe6d8347db38d42972b7ea7f9d2e9

Download Submit
memory/1676-4-0x00000000009A0000-0x0000000000AA4000-memory.dmp

Filesize
1.0MB

Download
memory/1676-9-0x00000000009A0000-0x0000000000AA4000-memory.dmp

Filesize
1.0MB

Download
memory/2012-35-0x0000000000190000-0x000000000023A000-memory.dmp

Filesize
680KB

Download
memory/2156-41-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2156-30-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2304-42-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2304-25-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2304-28-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2304-27-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2396-40-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2396-16-0x00000000004B8000-0x00000000004B9000-memory.dmp

Filesize
4KB

Download
memory/2396-17-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2396-15-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads